So far, Trezor claims that user funds and private keys were not compromised. Researchers from Ledger’s Donjon team, the security division of Trezor’s direct competitor, found a flaw in the TROPIC01 secure element chip during an audit. This chip is made by Tropic Square, Trezor’s sister company, and is billed as the first secure element chip with publicly available hardware design and firmware source code.

Ledger researchers reveal a flaw in Trezor Safe 7

The researchers used a high-tech method called laser fault injection. The researchers physically opened the chip package and then shot a precise infrared laser at the silicon to mess with the signature verification process. This allowed them to run their own unauthorized code on that specific chip. Tropic Square provided commercial chip samples to Donjon for evaluation, and the team reported the flaw in late January 2026.

After receiving Donjon’s findings, Tropic Square’s own engineers found a related attack path that could extract an additional secret tied to the chip’s PIN protection functions. Due to the vulnerability being at the hardware level, it cannot be patched through a software update for existing Safe 7 devices, Trezor confirmed. Tropic Square said it is already producing a new chip batch that addresses the flaw, but users do not need to take any action.

The company stressed that the Safe 7 uses three independent physical security layers, and the TROPIC01 chip is only one of them. Private keys and wallet backups are not stored on the affected chip. Exploiting the vulnerability also requires physical possession of the device, disassembly, backside decapsulation of the chip package, and access to specialized laser fault injection equipment.

Blockchain security firm Cyvers said that the attack appears “highly impractical” for real-world use. “Hardware wallet security should not be evaluated only by whether a chip can eventually be attacked in a lab,” Cyvers CEO Deddy Lavid said. In his view, phishing, seed phrase theft, and blind-signing are far larger threats for most users.

The post Ledger researchers reveal chip flaw in Trezor Safe 7, says funds not at risk first appeared on Coinfea.

The feature, which was released on Thursday alongside the new Nano Gen5 device and an upgraded Ledger Wallet app, replaces the old Ledger Live application. The multisig feature is the first integrated system developed by Ledger, with the firm allowing multiple people to sign and verify transactions. The company noted that this process is handled through the company’s backend instead of relying on third-party tools. Previously, users relied on Specter or Sparrow to handle multisig transactions on Ledger hardware wallets. Unlike Ledger’s integrated multisig feature, Specter and Sparrow are open-source tools available for anyone to utilize or fork.

Ledger unveils new multisig feature

Ledger has now announced a “Multisig Fee” on top of network fees. The fee is broken down into two parts: a $10 flat fee for standard crypto transfers and a variable fee of 0.05% on token transfers. “Ledger charges a fee for the secured and facilitated access it provides to these services through Ledger Multisig (‘Transaction Fee’),” Ledger said on its website’s FAQ section. Developers and security researchers across the crypto sphere have criticized the move, calling it unnecessary and profit-driven.

Pcaversaccio, a developer and security researcher from SEAL-911, said Ledger’s new model turns users who want the multisig feature into a revenue stream. He said the feature turns multisig users into “cash cows.” Pcaversaccio described Ledger as a “single choke point for all crypto so you can squeeze everyone through it.” This approach goes against Ledger’s cypherpunk origins. Sarnavo, an Avalanche ecosystem dev, said the whole crypto community is “frustrated” because of the new upgrade.

He listed other problems, such as Ledger’s closed-source user interface (UI). Crypto users have no way to verify transaction signing, how data moves, or what is being stored on Ledger’s backend servers. Sarnavo also pointed out a hidden transaction service used for coordinating multisig signatures. Ledger did not disclose the type of data the server handles, which leaves users clueless about their privacy.

Ledger released the new multisig feature along with clear signing on new devices. However, the original Ledger Nano S is left behind and will not receive those updates because it lacks the required memory storage to convert complex transaction data into readable text. Ledger released the new features alongside its Nano Gen5 device on Thursday. The upgraded hardware wallet is priced at $179, way higher than the older Ledger Nano S, which previously sold for around $59.

According to the company, the Nano Gen5 is more than a hardware wallet. It acts as a “signer” designed to handle identity verification and transaction approvals in what Ledger calls the artificial intelligence (AI) era. The Nano Gen5 also comes with new features such as an E-Ink touchscreen, Bluetooth 5.2, USB-C connectivity, and enhanced security chips. Ledger has sold over 6 million hardware wallets, helping crypto users secure billions of dollars. The company did not release any official comments or respond to the backlash from the crypto community.

The post Ledger unveils new multisig feature with fees amid market backlash first appeared on Coinfea.

Blockstream posted the alert to its followers and the general public on X, urging users to watch out for fake messages. The company said official firmware updates are only on its GitHub page and website.

Blockstream denies sending update emails to users

Hackers have been sending fake emails to users of Blockstream’s Jade hardware wallet, pretending to be the company. The scammers also announced a new firmware update that even cited version numbers with download links. Blockstream said it looked into the issue and issued warnings to its users. According to the company, its technology is still safe, and the attacks did not compromise any Jade devices.

Blockstream also told users to download its updates only through Blockchain’s official website or GitHub repository because it never sends them out through email. The platform also advised users on how to protect themselves from similar scams in the future. They said phishing attacks only work because exploiting human behavior is easier than infiltrating devices.

The platform asked users to ignore suspicious messages, even if they look professional, and verify the source through trusted channels. If anyone clicks on a link without being 100% sure, just because it looks real, the attacker succeeds, even if the hardware is foolproof. Blockchain announced the launch of Jade in 2021 for around $65 as an entry-level hardware wallet.

According to reports, the device was more affordable than most advanced cold storage devices and could compete with products such as Ledger and Trezor. Due to this, attackers knew the easiest way to bypass the device’s protection was by going after the owners themselves.

Scams and hacks made away with more than $3.1 billion in the first half of 2025, according to security company Hacken, and that figure exceeds the total amount lost in 2024. Big hacks, in which Orbit Bridge lost $305 million to hackers in April or where Kraken was hit for $110 million in June, show that the attacks also target established companies and platforms. As recently reported by Cryptopolitan, August crypto hacks and exploits increased, but the report did not disclose the total scale of losses.

The post Blockstream alerts Jade wallet users to new phishing scam first appeared on Coinfea.

These letters ask recipients to provide their 24-word recovery phrases under the pretense of performing a security update. Ledger has responded by confirming the scam and assuring users that their devices remain secure.

Scammers use old data breach to target users

Tech commentator Jacob Canfield received a counterfeit letter from Ledger’s name which many other individuals also got. A legitimate branding presentation and proper business address and reference number made this communication seem official. Users who failed to validate a vital security upgrade would encounter restricted wallet access according to the message. The fraudulent emails might specifically target victims from the 2020 Ledger data breach that released details of more than 270,000 customers.Canfield reported this.

Other hardware wallet users and resellers have also reported receiving similar scam letters. Some users claimed to have received fake devices tampered with and designed to install malware. The scam appears to be an attempt to exploit the older breach to drain users’ wallets.

QR code scam asks for recovery phrases

The fraudulent letters contained QR codes while telling people to read them before following commands. According to the reported instructions people needed to provide their private recovery phrase which granted intruders access to their crypto wallets. According to a statement from Ledger the letters were determined fraudulent and the company denied any policy to request recovery phrases from users.

Canfield posted screenshots of the letter to warn others in the crypto community. He advised people to be cautious and to alert friends and family who may not be familiar with security threats. Ledger emphasized that while it blocks scammers and reports them, it cannot fully control what others publish on platforms or send by mail.

Ledger urges users to stay alert

Ledger praised Canfield for raising awareness and reminded users that the company does not make unsolicited requests for recovery phrases. The company also confirmed that it would never contact users by phone or social media to ask for sensitive information. Ledger added that its hardware wallets are designed to protect user funds, even in cases of external fraud attempts.

The company encouraged all users to ignore suspicious messages and avoid contact with anyone claiming to be from Ledger offering help with fund recovery.

The post Ledger Users Targeted by Scam Letters Demanding Recovery Phrases first appeared on Coinfea.

The scam was reported on December 15, with the scammers using Amazon’s AWS to mask legitimacy. The phishing emails are used to steal the user’s recovery phrase, giving the scammers total control of the wallet. The campaign has been very fruitful for the scammers due to the reference to the previous 2020 Ledger data breach. During the period, users’ information was exposed, with the company rallying around to contain the issue.

Phishing emails appear to be from Ledger’s official address

According to reports, the emails looked official, following a careful pattern of legitimacy. The email appeared under the header “Security Alert: Data Breach May Expose Your Recovery Phrase” and appears to come from “Ledger support@ledger.com.” However, investigations revealed that the scammers used the SendGrid email marketing platform to send the messages.

Users who click the “Verify My Recovery Phrase” button in the emails are taken through several stages. The first stage is a suspicious Amazon AWS website with the URL: product-ledg.s3.us-west-1.amazonaws.com. After that stage, the users are sent to the phishing website. The phishing website is detailed, checking the seed words entered against all valid components. The real-time validation makes it appear legitimate to users.

The scammers also ensured that users entered their seed phrases multiple times by saying the initial submission was invalid. Other versions of the emails have also been discovered, with a firmware upgrade notification following the pattern of stealing users’ assets. As soon as the user enters a word, the server transmits it to the scammers immediately.

Ledger issues repeated security reminders

Ledger has issued an update concerning the phishing incident, reiterating to users that it will never demand their seed phrases or logins via emails or any other means. Some of its security tips have shown that users can only use recovery phrases when setting up a new wallet or recovering an existing one. In addition, the firm mentioned that the actions are performed on the physical Ledger wallets.

The company also reminded users to always input the URL into the browsers themselves instead of clicking any links. Users were also asked to treat any email from Ledger with caution, especially the ones talking about breaches. In addition, users were advised to store their seed phrases offline and in a secure location. For users who feel their seed phrases are compromised or they have entered them on a website, the company advised immediate movement of all the funds in the wallet.

The post Ledger users suffer phishing attacks, lose digital assets to scammers first appeared on Coinfea.

A necessary step to attract new crypto users?

The concept behind Ledger Recover stems from the fundamental challenge of balancing user experience with stringent security protocols. The crypto industry has long been grappling with the conundrum of how to make its offerings user-friendly without compromising the technology’s core ideals.

Ledger’s solution, according to CEO Pascal Gauthier, is Ledger Recover, a subscription-based service designed to secure user seed phrases against loss. The mechanism involves encrypting and dividing a user’s private key into three fragments, each stored by separate companies, including Ledger, Coincover, and an undisclosed backup service provider. Gauthier defended the initiative during a recent Twitter Space session, stating that the service aligns with the demands of future customers and will pave the way for millions to onboard to crypto.

However, the crypto community’s reaction to the service has been less enthusiastic.

Community Outcry: A violation of core crypto tenets?

Critics argue that Ledger Recover undermines the core purpose of hardware wallets to offer the highest level of security for crypto assets. The crux of the backlash revolves around the requirement for Ledger Recover customers to provide government-issued ID to access the service, a step some argue contravenes crypto’s foundational privacy principles.

High-profile critics have publicly denounced the new feature, including Bitcoin investor Alistair Milne and Mudit Gupta, the Chief Information Security Officer at Polygon Labs. Their sentiments echoed the concerns of many within the community, who questioned why users would entrust their private keys and personal information to Ledger, particularly in light of the company’s security breach in 2020.

Despite the opposition, Ledger’s leadership remains resolute in defending its security practices. Co-founder Nicolas Bacca emphasized that the new recovery service, which is entirely optional, doesn’t represent any form of a “backdoor.” Additionally, Ian Rogers, Ledger’s Chief Experience Officer, reminded users that they have a choice and should be aware of who they entrust their information to.

Ledger’s CEO has thrown the gauntlet to critics as the backlash continues. Gauthier challenged detractors anticipating another security breach within the next 12 months, citing the company’s successful operation of 6 million devices without compromise or backdoor installations.

While Ledger Recover represents an innovative attempt to bridge the gap between user experience and security, its launch’s controversy highlights the persistent tension between ideology and practicality in the crypto industry. As Ledger navigates this tumultuous terrain, the outcome will undoubtedly be a significant case study for crypto businesses worldwide.

The post Ledger’s new recovery service sparks controversy: Security innovation or privacy breach? first appeared on Coinfea.